I would highly recommend sanitising the data before input, using an if test to check $_POST exists before any DB operations, taking the post vars and assigning to new variables. I don't think '$_POST[key]' is going to parse correctly either:

Is your PHP really at the bottom of the page? If so, move it to the top before any HTML etc. and add in an if statement to check if the form has been posted (i.e. if (isset($_POST)) { ...... Do your DB stuff here ..... }).

Does your table name come from a variable, as I notice you have written it as $####### in your query? If so, then where is that variable being defined, and if not, then it should just be the table name.

Have you tried printing out your posted data to make sure it is being sent? If not then use print_r($_POST) to check what data (if any) is being posted.
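One way to combine the advice in this thread (handle the POST before any HTML, copy the posted values into validated local variables, keep the table name out of user control), as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database; the table `members`, the fields `name` and `email`, and the function `save_submission` are hypothetical.

```php
<?php
// Added example: table, column and function names are hypothetical.
declare(strict_types=1);

// Table names cannot be bound as parameters, so a variable one is allow-listed.
const ALLOWED_TABLES = ['members', 'subscribers'];

function save_submission(PDO $db, string $table, array $post): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        return ['ok' => false, 'errors' => ['table']];
    }
    // Copy the posted values into local variables and validate them first.
    $name  = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);

    $errors = [];
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name';
    }
    if ($email === false) {
        $errors[] = 'email';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    // Values are bound as parameters, never interpolated into the SQL string.
    $stmt = $db->prepare("INSERT INTO {$table} (name, email) VALUES (:name, :email)");
    $stmt->execute([':name' => $name, ':email' => $email]);
    return ['ok' => true, 'errors' => []];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (name TEXT, email TEXT)');

// In a page this sits at the top, before any HTML, and runs only on a submission.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = save_submission($db, 'members', $_POST);
} else {
    // Constructed sample input so the script also runs from the command line.
    $sample = ['name' => "Pat O'Brien", 'email' => 'pat@example.com'];
    $result = save_submission($db, 'members', $sample);
}
var_dump($result);
echo $db->query('SELECT COUNT(*) FROM members')->fetchColumn(), " row(s) stored\n";
```

The apostrophe in the sample name is the kind of value that breaks a query built by string interpolation; with bound parameters it is stored as plain data.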
